Ransomware, Trojan and Miner together against “PIK-Group”

Security expert Marco Ramilli analyzed a new piece of malware apparently designed to target PIK-Group that implements ransomware, Trojan, and Miner capabilities.

When an unknown sender suggests that I click on a super weird URL, dropping a ZIP file straight into my inbox, by saying it's the next targeted attack on a huge company, well, I kind of look forward to it! So I clicked on the link (see IOC section) and downloaded a “pik.zip” file. The zip file contained an interesting “cyrillic looking” JavaScript file named: Группа Компаний ПИК подробности заказа, which according to Google Translate would be: “PIK Group of Companies order details”. It looks like a file crafted for PIK-Group, one of the most important real estate companies based in Russia, with more than 14k employees! By analysing such a script it's clear that it won't be a piece of cake. The script is heavily obfuscated with multiple techniques. As you might appreciate from Stage0 (following image) there are two main obfuscation streams: the first one is implemented by introducing fake static forks such as “if” and “case” statements, and the second one is implemented by dynamically building function blocks from nested strings which are themselves dynamically built and split into multiple concatenation steps.

Javascript Stage0
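The two obfuscation tricks described above (constant-condition forks that never run, and code that exists only as concatenated string fragments until it is compiled) can be defeated dynamically rather than by reading the script. The block below is an added example and is not code from the original analysis or from the dropper: the "sample" inside it is constructed to imitate the Stage0 pattern, the URL it carries (`http://example.invalid/pik.zip`) is a placeholder, and the technique shown is hooking the `Function` constructor so the dropper hands us the code it would have run.

```javascript
// Added example (not from the original analysis): dynamic deobfuscation of a
// Stage0-style dropper by hooking the Function constructor and recording what
// it is asked to compile. The "sample" below is constructed for illustration;
// it only imitates the two tricks described in the write-up (fake static forks
// and code assembled from concatenated string fragments). The URL it carries
// is a placeholder, not the real dropper URL.

function makeObfuscatedSample() {
  // Fragments that only become code once concatenated at run time.
  const p = ["va", "r u", "rl", " = '", "http://", "example.invalid", "/pik.zip';"];
  const q = ["ret", "urn", " url;"];
  return function stage0() {
    let body = "";
    // Fake static fork: a constant condition, so only one arm ever runs.
    if ("a" + "b" === "ab") {
      body = p.join("") + q.join("");
    } else {
      body = "return 'decoy';";
    }
    // Same trick with a switch on a literal.
    switch (3) {
      case 1:
        body = "return 'never';";
        break;
      case 3:
        break; // live branch: keep the real body
      default:
        body = "return 'never';";
    }
    // The real code only exists as a string until this call compiles it.
    return Function(body)();
  };
}

// Run the dropper with Function replaced by a recorder. The recorder returns an
// inert stub, so whatever the built code would do (here: hand back a download
// URL; in the real sample: fetch and run msg.jpg) never happens.
function captureDynamicCode(run) {
  const captured = [];
  const realFunction = globalThis.Function;
  globalThis.Function = function recorder(...args) {
    captured.push(String(args[args.length - 1])); // last argument is the body
    return function stub() { return undefined; };
  };
  try {
    run();
  } finally {
    globalThis.Function = realFunction; // always restore the real constructor
  }
  return captured;
}

// Pull URLs out of the recovered source: the IOC we actually want from Stage0.
function extractUrls(sources) {
  const re = /https?:\/\/[^\s'"]+/g;
  return sources.flatMap((s) => s.match(re) || []);
}

const stage0 = makeObfuscatedSample();
const capturedSources = captureDynamicCode(stage0);
const recoveredUrls = extractUrls(capturedSources);
// Only because this sample is harmless: run it for real to confirm the hook
// saw the same code the dropper executes. Never do this with the real file.
const liveResult = stage0();

console.log("recovered source:", capturedSources);
console.log("URLs:", recoveredUrls);
console.log("live run returns:", liveResult);
```

Two caveats for real samples: a direct `eval(...)` call cannot be intercepted by reassigning a global (it is resolved syntactically), so for Windows Script Host droppers that use `eval` the usual move is to patch the script so the string is written out instead of evaluated; and the dead forks are often not this obvious, which is exactly why letting the engine pick the live branch beats tracing it by hand.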

The script eventually drops and executes (the Stage0 execution phase follows) a fake image file (msg.jpg) which actually is a UPX-packed Windows PE acting as second stage. The second stage drops and executes three additional modules: a backdoor, a Miner and finally a quite well-known Ransomware. It is actually hard to understand the attacker's needs at this point: why so many different actors in a single attack?

Stage0 Execution

According to pcrisk, the first downloaded module (327B0EF4.exe) looks like the well-known Troldesh Ransomware. This particular ransomware renames files so that they consist of a string of characters and digits, and adds the “.crypted000007” extension to each. For example, after encryption, the file “1.jpg” might look similar to this: “hmv8IGQE5oYCLEd2IS3wZQ==.135DB21A6CE65DAEFE26.crypted000007”. Furthermore, Crypted000007 creates ten ransom-demand messages (with identical content) called “README1.txt”, “README2.txt” … “README10.txt” and places them on the desktop. This virus also changes the desktop wallpaper. The following image shows the ransom note that I got during the infection phase.

Ransomware Note
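The renaming scheme and the fixed set of ten ransom notes described above are enough for a first-pass file-system triage. The routine below is an added example, not part of the original analysis: it encodes the `<base64>.<hex>.crypted000007` shape and the `README1.txt` … `README10.txt` note names as patterns and classifies a list of file names. The list is constructed; only its first entry is the example quoted in the write-up.

```javascript
// Added example (not from the original analysis): a file-name triage routine
// for the renaming scheme quoted above. It runs on a constructed list of names;
// only the first entry is the example quoted in the write-up.

// <base64 blob>.<hex blob>.crypted000007
const CRYPTED_NAME = /^[A-Za-z0-9+/]+={0,2}\.[0-9A-Fa-f]+\.crypted000007$/;
// README1.txt ... README10.txt (exactly ten, per the description above)
const NOTE_NAME = /^README([1-9]|10)\.txt$/;
const EXPECTED_NOTES = 10;

function triageFileNames(names) {
  const encrypted = [];
  const notes = [];
  let untouched = 0;
  for (const name of names) {
    if (CRYPTED_NAME.test(name)) encrypted.push(name);
    else if (NOTE_NAME.test(name)) notes.push(name);
    else untouched += 1;
  }
  let verdict = "clean";
  if (encrypted.length > 0 && notes.length > 0) verdict = "troldesh-like";
  else if (encrypted.length > 0 || notes.length > 0) verdict = "suspicious";
  return {
    verdict,
    encrypted,
    notes,
    untouched,
    // A partial note set can mean the ransomware was stopped mid-run or the
    // notes were cleaned up; worth a look either way.
    noteSetComplete: notes.length === EXPECTED_NOTES,
  };
}

// Constructed directory listing for the demo.
const SAMPLE_FILES = [
  "hmv8IGQE5oYCLEd2IS3wZQ==.135DB21A6CE65DAEFE26.crypted000007", // quoted in the write-up
  "Q2VydGFpbmx5.0A1B2C3D.crypted000007",                         // constructed, same shape
  "budget.xlsx",                                                 // constructed, untouched file
  "notes.crypted000007",                                         // constructed: extension only, wrong shape
  ...Array.from({ length: 11 }, (_, i) => `README${i + 1}.txt`), // README1..README11; 11 is outside the set
];
const SAMPLE_TRIAGE = triageFileNames(SAMPLE_FILES);
console.log(SAMPLE_TRIAGE);
```

The verdict deliberately requires both artefacts before calling the host "troldesh-like": an extension alone can be a false positive (or a different family borrowing the name), while the ten identically named desktop notes are the more specific marker. The base64 prefix is not decodable into the original file name without the key, so the scanner makes no attempt to recover it.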

The second installed module (37ED0C97.exe) is a well-known piece of software as well. It's a miner called nheqminer. Nheqminer is a great implementation of Equihash mining, mainly used on NiceHash but forked many times, and today it is used for several spare projects as well. Nheqminer is a Zcash-specific miner that runs on common PCs. You might want to check out more here. Exploring memory snapshots during its execution makes it easy to figure out that the miner runs against the Zcash.Flypool server, mining for the following wallet address.

Attacker Wallet

According to zcashnetwork the attacker's wallet has received 4.89 Zcash from mining activity so far (last transaction on February 26th, 2019). This amount suggests that the attacker's activity started (or re-started) a few days ago, or that its infected botnet was not so big at that time.

According to VirusTotal the third installed module (B56CE7B7.exe) is another well-known piece of software called Trojan-Heur, (in)famous during 2017 for performing brute force attacks on WordPress-based websites.

A typical behaviour for Trojans like HEUR.Trojan.Win32.Generic is one or all of the following:
- Download and install other malware.
- Use your computer for click fraud.
- Record your keystrokes and the sites you visit.
- Send information about your PC, including usernames and browsing history, to a remote malicious hacker.
- Give a remote malicious hacker access to your PC.
- Advertising banners are injected into the web pages that you are visiting.
- Random web page text is turned into hyperlinks.
- Browser popups appear which recommend fake updates or other software.

Indeed, its behaviour perfectly fits the malware family behaviour. Once installed on the victim PC it starts to brute force many websites looking for weak credentials. Once it finds weak credentials it installs itself into the WordPress website, maintaining the original name: “pik.zip”. Thanks to this characteristic it would be possible to enumerate infected websites through combined Google searches (please see dropping URLs).

BruteForce Module and installation path
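Seen from a targeted WordPress site rather than from the infected PC, the brute-force module leaves a very recognisable trail: bursts of POSTs to the login endpoint from one address, and, if it succeeds, a `pik.zip` appearing under the site. The detection below is an added example and not code from the original analysis. It assumes Apache combined-format access logs, assumes the default WordPress behaviour of answering a successful `wp-login.php` POST with a 302 redirect and a failed one with a 200 re-rendered form, and runs over constructed log lines using documentation IP ranges.

```javascript
// Added example (not from the original analysis): detecting the WordPress
// credential brute-forcing described above from the targeted site's access
// log. Assumptions: Apache combined log format; a default WordPress install
// answers a failed wp-login.php POST with 200 and a successful one with 302.
// All log lines below are constructed; the IPs are documentation ranges.

const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+/;

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null; // unparseable line: skip rather than crash
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

function detectBruteForce(lines, { threshold = 5 } = {}) {
  const perIp = new Map();
  const pikZipHits = [];
  for (const line of lines) {
    const r = parseLine(line);
    if (!r) continue;
    const path = r.path.split("?")[0];
    // wp-login.php is the login form; xmlrpc.php is the other endpoint
    // commonly hammered by WordPress credential bots.
    if (r.method === "POST" && (path.endsWith("/wp-login.php") || path.endsWith("/xmlrpc.php"))) {
      const s = perIp.get(r.ip) || { attempts: 0, successes: 0 };
      s.attempts += 1;
      if (r.status === 302) s.successes += 1; // redirect to wp-admin = login worked
      perIp.set(r.ip, s);
    }
    // The bot keeps its original archive name when it plants itself on a site.
    if (/\/pik\.zip$/i.test(path)) {
      pikZipHits.push({ ip: r.ip, method: r.method, path, status: r.status });
    }
  }
  const flagged = [];
  for (const [ip, s] of perIp) {
    if (s.attempts >= threshold) {
      flagged.push({ ip, attempts: s.attempts, successes: s.successes, compromised: s.successes > 0 });
    }
  }
  return { flagged, pikZipHits };
}

// Constructed Apache combined-format line; timestamps are synthetic.
function accessLine(ip, second, method, path, status, bytes) {
  const ts = `26/Feb/2019:10:00:${String(second).padStart(2, "0")} +0000`;
  return `${ip} - - [${ts}] "${method} ${path} HTTP/1.1" ${status} ${bytes} "-" "Mozilla/5.0"`;
}

const SAMPLE_LOG = [
  accessLine("192.0.2.44", 0, "GET", "/", 200, 9812),
  accessLine("198.51.100.7", 1, "POST", "/wp-login.php", 200, 4312),
  accessLine("198.51.100.7", 2, "POST", "/wp-login.php", 200, 4312),
  accessLine("198.51.100.7", 3, "POST", "/wp-login.php", 200, 4312),
  accessLine("198.51.100.7", 4, "POST", "/wp-login.php", 200, 4312),
  accessLine("198.51.100.7", 5, "POST", "/wp-login.php", 200, 4312),
  accessLine("203.0.113.9", 6, "POST", "/wp-login.php", 200, 4312), // one legitimate typo
  accessLine("198.51.100.7", 7, "POST", "/wp-login.php", 302, 0),   // guess succeeded
  accessLine("198.51.100.7", 8, "GET", "/wp-content/uploads/pik.zip", 200, 66011),
  "garbage line that does not parse",
];

const REPORT = detectBruteForce(SAMPLE_LOG);
console.log(JSON.stringify(REPORT, null, 2));
```

The threshold is per source address over the whole input; in production you would window it (attempts per minute) and key on the target account as well, since the bot in the write-up spreads its load over many sites rather than many users per site. A flagged address with `successes > 0` is the case that matters: the login worked, so the site should be checked for the planted archive and for new admin users.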

The following image shows the main actors' connections and their relationships. The analysed implant is quite interesting since it raises many questions, for example: Why does the attacker pretend to build a targeted attack on PIK-Group (using crafted strings) with refurbished malware? Why does the implant install a “miner” and a “ransomware” as well? While the usage of software for harvesting money might be understandable, why did the attacker introduce a brute force Trojan bot?

Main actors map

From my personal point of view, this is quite weird behavior that goes pretty far from classical state-sponsored attacks. We are facing an actor who apparently wants money (ransomware and miner), but also wants credentials and wants to be able to control the victim's box in the future. But we are also facing an actor who is using the victim to brute force third-party random websites. This activity is quite heavy and it's easy to detect and block by security administrators or IT guys, which is clearly in opposition to mining (which wants to remain as stealthy as possible) and to the trojan as well (which wants to propagate itself silently). We might assume a malware building factory that is overselling a small botnet. In any case, I don't think it would be a state-sponsored attack against PIK-Group but rather a nice way to maximize profits on a relatively small botnet.

Further details, including Indicators of Compromise (IoCs), are reported in the analysis published by Marco Ramilli.


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.
Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines.
Author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
